Following the security breaches at Target and other major retailers, cybersecurity has emerged as one of the hottest topics of 2014. Companies have enjoyed enormous increases in productivity and profits as a result of Internet-related technologies.
However, with many organizations now storing more sensitive data in the cloud and on networked systems, the potential impact of a security breach on the public, and on company shareholders, has grown substantially.
So what is a corporate director to do? Since issuing its cybersecurity disclosure guidance in October 2011, the Securities and Exchange Commission (SEC) has strongly encouraged more disclosure of cybersecurity risks, so that investors can judge whether such risks will materially affect current or future operating results. Specifically, the SEC has recommended disclosure of material costs related to preventive and remedial measures.
More recently, the National Institute of Standards and Technology (NIST) Cybersecurity Framework has provided a common language in which companies can describe their state of cybersecurity readiness and identify opportunities to improve risk management.
Thankfully, directors are not expected to become IT experts. However, they must begin to treat cybersecurity risk much as they treat any other significant risk their company faces. As in other areas, courts generally will apply the business judgment rule to decisions made by directors in handling cybersecurity issues. Only if a plaintiff shows that a director has “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [his or her] responsibilities” might there be a claim for breach of fiduciary duty. However, once directors are aware of specific threats to the company or, worse, once the company has actually experienced a breach, directors must act quickly. A failure to respond adequately to a known threat or risk may lead to liability.
So that directors can understand their cybersecurity risk, effectively evaluate their options for reducing it, and build privacy and security in by design, we recommend that they ask management to designate a chief privacy/security officer and/or team to provide oversight and to report fully and periodically to the board of directors on the following questions:
- what type of sensitive data does the company collect, transmit and store, and what type of breach would be most damaging to the company, the public or shareholders?
- what liability risks were reported in the company’s risk assessment and audit of its privacy/security vulnerabilities, and what can be done to minimize them?
- have privacy and security principles, policies and procedures been implemented throughout the business?
- has the company or related third parties experienced any breaches in the past, and what has been done as a result?
- does the company have adequate cybersecurity insurance?
Armed with the information necessary to evaluate the risks to their company, directors can exercise their business judgment in determining how best to allocate the company’s resources, protect against cyber attacks and maintain investor value.
In this context, be sure to check out our upcoming seminar: Transatlantic Privacy Update: US vs. EU Privacy Regulations: A Comparison